[Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Rob Crittenden rcritten at redhat.com
Wed Jan 4 13:44:29 UTC 2017


Alan Latteri wrote:
> Well, on new installs of Cent 7.2, when I do `yum install ipa-client`, that is the version provided.
> Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is out of our control.

Either way it's a bug somewhere in ipa-client; it should require a
minimum version of krb5-libs which provides this file (or explicitly
check for existence of this directory). I opened a ticket on it,
https://fedorahosted.org/freeipa/ticket/6589

rob

> 
> Alan
> 
>> On Jan 3, 2017, at 8:33 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Alan Latteri wrote:
>>> Further investigation.
>>>
>>> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is missing, and therefore initial setup will fail unless /etc/krb5.conf.d/ is created manually.
>>> Maybe the install script for the client can be updated to check for and create?
>>
>> Is there a reason you're running 7.3 packages on a 7.2 system? I suspect
>> that is the problem. AFAIU in 7.3 this directory is provided by krb5-libs.
>>
>> Is there some feature you need in the 4.4 client installer on 7.2?
>>
>> rob
>>
>>>
>>> Thanks,
>>> Alan
>>>
>>>> On Jan 3, 2017, at 1:44 PM, Alan Latteri <alan at instinctualsoftware.com> wrote:
>>>>
>>>> Thanks Rob.
>>>>
>>>> /etc/krb5.conf.d/ was in fact missing from the client, which is still on CentOS 7.2 for reasons out of our control.
>>>> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client requires that dir but is not making it on upgrade, and that is the cause of the failure?
>>>>
>>>> Alan
>>>>
>>>>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>
>>>>> Alan Latteri wrote:
>>>>>> Log is attached.
>>>>>
>>>>> Look and see if /etc/krb5.conf.d/ and
>>>>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>>>>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>>>>> filesystem perms are an issue but who knows.
>>>>>
>>>>> You can also brute force things using strace -f to find out exactly what
>>>>> can't be read.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>>
>>>
>>
> 
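
Added example (not part of the thread and not FreeIPA code): a shell check for the condition discussed above, that a directory named by an "includedir" line in krb5.conf is missing or unreadable. The function names krb5_includedir_report and demo_report are hypothetical, and the sample config is constructed in a temporary directory.

```bash
#!/bin/bash
# Added example, not FreeIPA code. For every "includedir" directive in a
# krb5.conf, report whether the named directory exists and can be read.

krb5_includedir_report() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "UNREADABLE-CONF $conf"
        return 0
    fi
    # An includedir directive is a whole line: "includedir /some/dir"
    sed -n 's/^[[:space:]]*includedir[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" |
    while IFS= read -r dir; do
        if [ ! -e "$dir" ]; then
            echo "MISSING $dir"
        elif [ ! -d "$dir" ]; then
            echo "NOT-A-DIRECTORY $dir"
        elif [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
            echo "UNREADABLE $dir"
        else
            echo "OK $dir"
        fi
    done
}

# Constructed demo: a sample config with one absent and one present include
# directory, standing in for the two paths named in the thread.
demo_report() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pubconf/krb5.include.d"
    printf 'includedir %s\nincludedir %s\n\n[libdefaults]\n  default_realm = EXAMPLE.TEST\n' \
        "$tmp/krb5.conf.d/" "$tmp/pubconf/krb5.include.d/" > "$tmp/krb5.conf"
    # Strip the temp prefix so the report reads like real paths
    krb5_includedir_report "$tmp/krb5.conf" | sed "s|$tmp||"
    rm -rf "$tmp"
}

demo_report
# On a real client: krb5_includedir_report /etc/krb5.conf
```

A directory that passes this check can still be blocked by SELinux, so the AVC check suggested in the thread remains a separate step.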